[ports/core-arm.git] / glibc / CVE-2012-3406-Stack-overflow-in-vfprintf-BZ-16617.patch

From 6143805bb45e716829d86851e9372f55a136064b Mon Sep 17 00:00:00 2001
From: Jeff Law <law@redhat.com>
Date: Mon, 15 Dec 2014 10:09:32 +0100
Subject: [PATCH 35/37] CVE-2012-3406: Stack overflow in vfprintf [BZ #16617]

A larger number of format specifiers coudld cause a stack overflow,
potentially allowing to bypass _FORTIFY_SOURCE format string
protection.

Conflicts:
	ChangeLog
	NEWS
---
 ChangeLog               | 13 +++++++++
 NEWS                    | 57 ++++++++++++++++++++++++++++++++++++++++
 stdio-common/Makefile   |  2 +-
 stdio-common/bug23-2.c  | 70 +++++++++++++++++++++++++++++++++++++++++++++++++
 stdio-common/bug23-3.c  | 50 +++++++++++++++++++++++++++++++++++
 stdio-common/bug23-4.c  | 31 ++++++++++++++++++++++
 stdio-common/vfprintf.c | 40 ++++++++++++++++++++++++++--
 7 files changed, 260 insertions(+), 3 deletions(-)
 create mode 100644 stdio-common/bug23-2.c
 create mode 100644 stdio-common/bug23-3.c
 create mode 100644 stdio-common/bug23-4.c
 
diff --git a/stdio-common/bug23-2.c b/stdio-common/bug23-2.c
new file mode 100644
index 0000000..9e0cfe6
--- /dev/null
+++ b/stdio-common/bug23-2.c
@@ -0,0 +1,70 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+static const char expected[] = "\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55\
+\n\
+a\n\
+abbcd55%%%%%%%%%%%%%%%%%%%%%%%%%%\n";
+
+static int
+do_test (void)
+{
+  char *buf = malloc (strlen (expected) + 1);
+  snprintf (buf, strlen (expected) + 1,
+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+	    "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+	    "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n",
+	    "a", "b", "c", "d", 5);
+  return strcmp (buf, expected) != 0;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
diff --git a/stdio-common/bug23-3.c b/stdio-common/bug23-3.c
new file mode 100644
index 0000000..57c8cef
--- /dev/null
+++ b/stdio-common/bug23-3.c
@@ -0,0 +1,50 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+int
+do_test (void)
+{
+  size_t instances = 16384;
+#define X0 "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
+  const char *item = "\na\nabbcd55";
+#define X3 X0 X0 X0 X0 X0 X0 X0 X0
+#define X6 X3 X3 X3 X3 X3 X3 X3 X3
+#define X9 X6 X6 X6 X6 X6 X6 X6 X6
+#define X12 X9 X9 X9 X9 X9 X9 X9 X9
+#define X14 X12 X12 X12 X12
+#define TRAILER "%%%%%%%%%%%%%%%%%%%%%%%%%%"
+#define TRAILER2 TRAILER TRAILER
+  size_t length = instances * strlen (item) + strlen (TRAILER) + 1;
+
+  char *buf = malloc (length + 1);
+  snprintf (buf, length + 1,
+	    X14 TRAILER2 "\n",
+	    "a", "b", "c", "d", 5);
+
+  const char *p = buf;
+  size_t i;
+  for (i = 0; i < instances; ++i)
+    {
+      const char *expected;
+      for (expected = item; *expected; ++expected)
+	{
+	  if (*p != *expected)
+	    {
+	      printf ("mismatch at offset %zu (%zu): expected %d, got %d\n",
+		      (size_t) (p - buf), i, *expected & 0xFF, *p & 0xFF);
+	      return 1;
+	    }
+	  ++p;
+	}
+    }
+  if (strcmp (p, TRAILER "\n") != 0)
+    {
+      printf ("mismatch at trailer: [%s]\n", p);
+      return 1;
+    }
+  free (buf);
+  return 0;
+}
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
diff --git a/stdio-common/bug23-4.c b/stdio-common/bug23-4.c
new file mode 100644
index 0000000..a478564
--- /dev/null
+++ b/stdio-common/bug23-4.c
@@ -0,0 +1,31 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/resource.h>
+
+#define LIMIT 1000000
+
+int
+main (void)
+{
+  struct rlimit lim;
+  getrlimit (RLIMIT_STACK, &lim);
+  lim.rlim_cur = 1048576;
+  setrlimit (RLIMIT_STACK, &lim);
+  char *fmtstr = malloc (4 * LIMIT + 1);
+  if (fmtstr == NULL)
+    abort ();
+  char *output = malloc (LIMIT + 1);
+  if (output == NULL)
+    abort ();
+  for (size_t i = 0; i < LIMIT; i++)
+    memcpy (fmtstr + 4 * i, "%1$d", 4);
+  fmtstr[4 * LIMIT] = '\0';
+  int ret = snprintf (output, LIMIT + 1, fmtstr, 0);
+  if (ret != LIMIT)
+    abort ();
+  for (size_t i = 0; i < LIMIT; i++)
+    if (output[i] != '0')
+      abort ();
+  return 0;
+}
diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
index f7e5f61..f423be6 100644
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@@ -263,6 +263,12 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
   /* For the argument descriptions, which may be allocated on the heap.  */
   void *args_malloced = NULL;
 
+  /* For positional argument handling.  */
+  struct printf_spec *specs;
+
+  /* Track if we malloced the SPECS array and thus must free it.  */
+  bool specs_malloced = false;
+
   /* This table maps a character into a number representing a
      class.  In each step there is a destination label for each
      class.  */
@@ -1678,8 +1684,8 @@ do_positional:
     size_t nspecs = 0;
     /* A more or less arbitrary start value.  */
     size_t nspecs_size = 32 * sizeof (struct printf_spec);
-    struct printf_spec *specs = alloca (nspecs_size);
 
+    specs = alloca (nspecs_size);
     /* The number of arguments the format string requests.  This will
        determine the size of the array needed to store the argument
        attributes.  */
@@ -1720,11 +1726,39 @@ do_positional:
 	if (nspecs * sizeof (*specs) >= nspecs_size)
 	  {
 	    /* Extend the array of format specifiers.  */
+	    if (nspecs_size * 2 < nspecs_size)
+	      {
+		__set_errno (ENOMEM);
+		done = -1;
+		goto all_done;
+	      }
 	    struct printf_spec *old = specs;
-	    specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size);
+	    if (__libc_use_alloca (2 * nspecs_size))
+	      specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size);
+	    else
+	      {
+		nspecs_size *= 2;
+		specs = malloc (nspecs_size);
+		if (specs == NULL)
+		  {
+		    __set_errno (ENOMEM);
+		    specs = old;
+		    done = -1;
+		    goto all_done;
+		  }
+	      }
 
 	    /* Copy the old array's elements to the new space.  */
 	    memmove (specs, old, nspecs * sizeof (*specs));
+
+	    /* If we had previously malloc'd space for SPECS, then
+	       release it after the copy is complete.  */
+	    if (specs_malloced)
+	      free (old);
+
+	    /* Now set SPECS_MALLOCED if needed.  */
+	    if (!__libc_use_alloca (nspecs_size))
+	      specs_malloced = true;
 	  }
 
 	/* Parse the format specifier.  */
@@ -2045,6 +2079,8 @@ do_positional:
   }
 
 all_done:
+  if (specs_malloced)
+    free (specs);
   if (__glibc_unlikely (args_malloced != NULL))
     free (args_malloced);
   if (__glibc_unlikely (workstart != NULL))
-- 
2.2.1
Commit	Line	Data
3d9e9aa9 VM	1	From 6143805bb45e716829d86851e9372f55a136064b Mon Sep 17 00:00:00 2001
	2	From: Jeff Law <law@redhat.com>
	3	Date: Mon, 15 Dec 2014 10:09:32 +0100
	4	Subject: [PATCH 35/37] CVE-2012-3406: Stack overflow in vfprintf [BZ #16617]
	5
	6	A larger number of format specifiers coudld cause a stack overflow,
	7	potentially allowing to bypass _FORTIFY_SOURCE format string
	8	protection.
	9
	10	Conflicts:
	11	ChangeLog
	12	NEWS
	13	---
	14	ChangeLog \| 13 +++++++++
	15	NEWS \| 57 ++++++++++++++++++++++++++++++++++++++++
	16	stdio-common/Makefile \| 2 +-
	17	stdio-common/bug23-2.c \| 70 +++++++++++++++++++++++++++++++++++++++++++++++++
	18	stdio-common/bug23-3.c \| 50 +++++++++++++++++++++++++++++++++++
	19	stdio-common/bug23-4.c \| 31 ++++++++++++++++++++++
	20	stdio-common/vfprintf.c \| 40 ++++++++++++++++++++++++++--
	21	7 files changed, 260 insertions(+), 3 deletions(-)
	22	create mode 100644 stdio-common/bug23-2.c
	23	create mode 100644 stdio-common/bug23-3.c
	24	create mode 100644 stdio-common/bug23-4.c
	25
	26	diff --git a/stdio-common/bug23-2.c b/stdio-common/bug23-2.c
	27	new file mode 100644
	28	index 0000000..9e0cfe6
	29	--- /dev/null
	30	+++ b/stdio-common/bug23-2.c
	31	@@ -0,0 +1,70 @@
	32	+#include <stdio.h>
	33	+#include <string.h>
	34	+#include <stdlib.h>
	35	+
	36	+static const char expected[] = "\
	37	+\n\
	38	+a\n\
	39	+abbcd55\
	40	+\n\
	41	+a\n\
	42	+abbcd55\
	43	+\n\
	44	+a\n\
	45	+abbcd55\
	46	+\n\
	47	+a\n\
	48	+abbcd55\
	49	+\n\
	50	+a\n\
	51	+abbcd55\
	52	+\n\
	53	+a\n\
	54	+abbcd55\
	55	+\n\
	56	+a\n\
	57	+abbcd55\
	58	+\n\
	59	+a\n\
	60	+abbcd55\
	61	+\n\
	62	+a\n\
	63	+abbcd55\
	64	+\n\
65	+a\n\
66	+abbcd55\
67	+\n\
68	+a\n\
69	+abbcd55\
70	+\n\
71	+a\n\
72	+abbcd55\
73	+\n\
74	+a\n\
75	+abbcd55%%%%%%%%%%%%%%%%%%%%%%%%%%\n";
76	+
77	+static int
78	+do_test (void)
79	+{
80	+ char *buf = malloc (strlen (expected) + 1);
81	+ snprintf (buf, strlen (expected) + 1,
82	+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
83	+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
84	+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
85	+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
86	+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
87	+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
88	+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
89	+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
90	+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
91	+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
92	+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
93	+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
94	+ "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
95	+ "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n",
96	+ "a", "b", "c", "d", 5);
97	+ return strcmp (buf, expected) != 0;
98	+}
99	+
100	+#define TEST_FUNCTION do_test ()
101	+#include "../test-skeleton.c"
102	diff --git a/stdio-common/bug23-3.c b/stdio-common/bug23-3.c
103	new file mode 100644
104	index 0000000..57c8cef
105	--- /dev/null
106	+++ b/stdio-common/bug23-3.c
107	@@ -0,0 +1,50 @@
108	+#include <stdio.h>
109	+#include <string.h>
110	+#include <stdlib.h>
111	+
112	+int
113	+do_test (void)
114	+{
115	+ size_t instances = 16384;
116	+#define X0 "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
117	+ const char *item = "\na\nabbcd55";
118	+#define X3 X0 X0 X0 X0 X0 X0 X0 X0
119	+#define X6 X3 X3 X3 X3 X3 X3 X3 X3
120	+#define X9 X6 X6 X6 X6 X6 X6 X6 X6
121	+#define X12 X9 X9 X9 X9 X9 X9 X9 X9
122	+#define X14 X12 X12 X12 X12
123	+#define TRAILER "%%%%%%%%%%%%%%%%%%%%%%%%%%"
124	+#define TRAILER2 TRAILER TRAILER
125	+ size_t length = instances * strlen (item) + strlen (TRAILER) + 1;
126	+
127	+ char *buf = malloc (length + 1);
128	+ snprintf (buf, length + 1,
129	+ X14 TRAILER2 "\n",
130	+ "a", "b", "c", "d", 5);
131	+
132	+ const char *p = buf;
133	+ size_t i;
134	+ for (i = 0; i < instances; ++i)
135	+ {
136	+ const char *expected;
137	+ for (expected = item; *expected; ++expected)
138	+ {
139	+ if (p != expected)
140	+ {
141	+ printf ("mismatch at offset %zu (%zu): expected %d, got %d\n",
142	+ (size_t) (p - buf), i, expected & 0xFF, p & 0xFF);
143	+ return 1;
144	+ }
145	+ ++p;
146	+ }
147	+ }
148	+ if (strcmp (p, TRAILER "\n") != 0)
149	+ {
150	+ printf ("mismatch at trailer: [%s]\n", p);
151	+ return 1;
152	+ }
153	+ free (buf);
154	+ return 0;
155	+}
156	+#define TEST_FUNCTION do_test ()
157	+#include "../test-skeleton.c"
158	diff --git a/stdio-common/bug23-4.c b/stdio-common/bug23-4.c
159	new file mode 100644
160	index 0000000..a478564
161	--- /dev/null
162	+++ b/stdio-common/bug23-4.c
163	@@ -0,0 +1,31 @@
164	+#include <stdio.h>
165	+#include <stdlib.h>
166	+#include <string.h>
167	+#include <sys/resource.h>
168	+
169	+#define LIMIT 1000000
170	+
171	+int
172	+main (void)
173	+{
174	+ struct rlimit lim;
175	+ getrlimit (RLIMIT_STACK, &lim);
176	+ lim.rlim_cur = 1048576;
177	+ setrlimit (RLIMIT_STACK, &lim);
178	+ char fmtstr = malloc (4 LIMIT + 1);
179	+ if (fmtstr == NULL)
180	+ abort ();
181	+ char *output = malloc (LIMIT + 1);
182	+ if (output == NULL)
183	+ abort ();
184	+ for (size_t i = 0; i < LIMIT; i++)
185	+ memcpy (fmtstr + 4 * i, "%1$d", 4);
186	+ fmtstr[4 * LIMIT] = '\0';
187	+ int ret = snprintf (output, LIMIT + 1, fmtstr, 0);
188	+ if (ret != LIMIT)
189	+ abort ();
190	+ for (size_t i = 0; i < LIMIT; i++)
191	+ if (output[i] != '0')
192	+ abort ();
193	+ return 0;
194	+}
195	diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
196	index f7e5f61..f423be6 100644
197	--- a/stdio-common/vfprintf.c
198	+++ b/stdio-common/vfprintf.c
199	@@ -263,6 +263,12 @@ vfprintf (FILE s, const CHAR_T format, va_list ap)
200	/* For the argument descriptions, which may be allocated on the heap. */
201	void *args_malloced = NULL;
202
203	+ /* For positional argument handling. */
204	+ struct printf_spec *specs;
205	+
206	+ /* Track if we malloced the SPECS array and thus must free it. */
207	+ bool specs_malloced = false;
208	+
209	/* This table maps a character into a number representing a
210	class. In each step there is a destination label for each
211	class. */
212	@@ -1678,8 +1684,8 @@ do_positional:
213	size_t nspecs = 0;
214	/* A more or less arbitrary start value. */
215	size_t nspecs_size = 32 * sizeof (struct printf_spec);
216	- struct printf_spec *specs = alloca (nspecs_size);
217
218	+ specs = alloca (nspecs_size);
219	/* The number of arguments the format string requests. This will
220	determine the size of the array needed to store the argument
221	attributes. */
222	@@ -1720,11 +1726,39 @@ do_positional:
223	if (nspecs * sizeof (*specs) >= nspecs_size)
224	{
225	/* Extend the array of format specifiers. */
226	+ if (nspecs_size * 2 < nspecs_size)
227	+ {
228	+ __set_errno (ENOMEM);
229	+ done = -1;
230	+ goto all_done;
231	+ }
232	struct printf_spec *old = specs;
233	- specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size);
234	+ if (__libc_use_alloca (2 * nspecs_size))
235	+ specs = extend_alloca (specs, nspecs_size, 2 * nspecs_size);
236	+ else
237	+ {
238	+ nspecs_size *= 2;
239	+ specs = malloc (nspecs_size);
240	+ if (specs == NULL)
241	+ {
242	+ __set_errno (ENOMEM);
243	+ specs = old;
244	+ done = -1;
245	+ goto all_done;
246	+ }
247	+ }
248
249	/* Copy the old array's elements to the new space. */
250	memmove (specs, old, nspecs * sizeof (*specs));
251	+
252	+ /* If we had previously malloc'd space for SPECS, then
253	+ release it after the copy is complete. */
254	+ if (specs_malloced)
255	+ free (old);
256	+
257	+ /* Now set SPECS_MALLOCED if needed. */
258	+ if (!__libc_use_alloca (nspecs_size))
259	+ specs_malloced = true;
260	}
261
262	/* Parse the format specifier. */
263	@@ -2045,6 +2079,8 @@ do_positional:
264	}
265
266	all_done:
267	+ if (specs_malloced)
268	+ free (specs);
269	if (__glibc_unlikely (args_malloced != NULL))
270	free (args_malloced);
271	if (__glibc_unlikely (workstart != NULL))
272	--
273	2.2.1
274